The workshop will also provide a thorough guide on how mobile applications can be attacked, an overview of how some of the most important security checks for applications are applied, and an in-depth understanding of those checks.
Course Content:
Android Introduction & Basics
Setting up the Pen testing environment
Reverse engineering & runtime manipulation
Application dynamic runtime analysis
Application Components and security issues
Data and Network interception – manipulation and analysis
Defensive Tools & Techniques for Android application
Hacking Tizen: The OS of everything - Whitepaper (Ajin Abraham)
Samsung’s first Tizen-based devices are set to launch in the middle of 2015. This paper presents the research outcome on the security analysis of Tizen OS and its underlying security architecture.
The paper begins with a quick introduction to Tizen architecture and explains the various components of Tizen OS. This will be followed by Tizen’s security model where application sandboxing and resource access control will be explained. Moving on, an overview of Tizen’s Content Security Framework which acts as an in-built malware detection API will be covered.
Various vulnerabilities in Tizen will be discussed including issues like Tizen WebKit2 address spoofing and content injection, Tizen WebKit CSP bypass and issues in Tizen’s memory protection (ASLR and DEP).
Applications in Tizen can be written in HTML5/JS/CSS or natively using C/C++. As a bonus, an overview of pentesting Tizen applications will also be presented along with some of the security implications. There will be comparisons made to traditional Android applications and how these security issues differ with Tizen.
Continuous Integration - Live Static Analysis with Puma Scan (Puma Security, LLC)
Puma Scan is a software security Visual Studio analyzer extension providing real time, continuous source code analysis as development teams write code. Vulnerabilities are immediately displayed in the development environment as spell check and compiler warnings, preventing security bugs from entering your applications.
Hacking Tizen : The OS of Everything - Nullcon Goa 2015 (Ajin Abraham)
Tizen is an operating system built to run on various kinds of devices. Tizen OS defines the following profiles based on the device types supported:
Tizen IVI (in-vehicle infotainment)
Tizen Mobile
Tizen TV, and
Tizen Wearable
Samsung's first Tizen-based devices are set to be launched in India in Nov 2014. This paper presents the research outcome on the security analysis of Tizen OS. The paper begins with a quick introduction to Tizen architecture which explains the various components of Tizen OS. This will be followed by Tizen's security model, where Application Sandboxing and Resource Access Control powered by Smack will be explained.
The vulnerabilities in Tizen identified during the research and responsibly disclosed to the Tizen community will be discussed. These include issues like Tizen WebKit2 address spoofing and content injection, buffer overflows, issues in memory protection like ASLR and DEP, injecting an SSL certificate into the trusted zone, Shellshock (CVE-2014-6271) etc. Applications in Tizen can be written in HTML5/JS/CSS or natively using C/C++. An overview of pentesting Tizen applications will be presented along with some of the issues impacting the security of Tizen applications. There will be comparisons made to Android applications, and how these security issues differ with Tizen.
For example: security issues with inter-application communication via custom URL schemes or intent broadcasting in Android as opposed to using the MessagePort API in Tizen; issues with WebView and the JavaScript bridge in Android compared to how web-to-native communication is handled in Tizen, etc.
Tizen is late to enter into the market as compared to Android or iOS, which gives it the benefit of learning from the mistakes impacting the security of mobile OS, and fixing these issues right in the Security Architecture. To conclude, a verdict would be provided by the speaker on how much Tizen has achieved with regard to making this mobile OS a secure one.
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ... (Ajin Abraham)
Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS applications and supports both binaries (APK & IPA) and zipped source code. MobSF can also perform Web API security testing with its API Fuzzer, which can do information gathering, analyze security headers, and identify mobile-API-specific vulnerabilities like XXE, SSRF, path traversal, IDOR, and other logical issues related to sessions and API rate limiting.
Injecting Security into Web apps at Runtime - Whitepaper (Ajin Abraham)
This paper discusses the research outcomes on implementing a runtime application patching algorithm on an insecurely-coded application to protect it against code injection vulnerabilities and other logical issues related to web applications, and will introduce the next generation web application defending technology dubbed as Runtime Application Self-Protection (RASP) that defends against web attacks by working inside your web application. RASP relies on runtime patching to inject security into web apps implicitly without introducing additional code changes. The talk concludes with the challenges in this new technology and gives you an insight on future of runtime protection.
Better Security Testing: Using the Cloud and Continuous Delivery (Gene Gotimer)
Even though many organizations claim that security is a priority, that claim doesn’t always translate into supporting security initiatives in software development or test. Security code reviews often are overlooked or avoided, and when development schedules fall behind, security testing may be dropped to help the team “catch up.” Everyone wants more secure development; they just don’t want to spend time or money to get it. Gene Gotimer describes his experiences with implementing a continuous delivery process in the cloud and how he integrated security testing into that process. Gene discusses how to take advantage of the automated provisioning and automated deploys already being implemented to give more opportunities along the way for security testing without schedule disruption. Learn how you can incrementally mature a practice to build security into the process—without a large-scale, time-consuming, or costly effort.
How to scale threat modelling activities across many applications and large development teams using templates and risk patterns.
Introducing IriusRisk Community edition
Presentation given at O'Reilly Security Amsterdam 2016
DevOps is changing the way that organizations design, build, deploy and operate online systems. Engineering teams are making hundreds, or even thousands, of changes per day, and traditional approaches to security are struggling to keep up. Security must be reinvented in a DevOps world and take advantage of the opportunities provided by continuous integration and delivery pipelines.
In this talk, we start with a case study of an organization trying to leverage the power of Continuous Integration (CI) and Continuous Delivery (CD) to improve their security posture. After identifying the key security checkpoints in the pre-commit, commit, acceptance, and deployment lifecycle phases, we will explore how unit testing and static analysis fit into DevSecOps. Live demonstrations will show how to identify vulnerabilities pre-commit inside the Visual Studio development environment, and how to enforce security unit tests and static analysis in a Jenkins continuous integration (CI) build pipeline. Attendees will walk away with a better understanding of how security fits into DevOps, and an open source .NET static analysis engine to help secure your organization’s applications.
Abusing, Exploiting and Pwning with Firefox Add-ons (Ajin Abraham)
The paper is about abusing and exploiting the Firefox add-on security model and explains how JavaScript functions, XPCOM and XPConnect interfaces, technologies like CORS and WebSocket, session storing and full-privilege execution can be abused by a hacker for malicious purposes. The widely popular browser add-ons can be targeted by hackers to implement new malicious attack vectors resulting in confidential data theft and full system compromise. This paper is supported by proof-of-concept add-ons which abuse and exploit the add-on coding in Firefox 17, the release which Mozilla boasts to have a more secure architecture against malicious plugins and add-ons. The proof of concept includes the implementation of a local keylogger, a remote keylogger, stealing Linux password files, spawning a reverse shell, stealing the authenticated Firefox session data, and a remote DDoS attack. All of these attack vectors are fully undetectable by anti-virus solutions and can bypass protection mechanisms.
AWS has taken over the responsibilities of patching the OS and securing the underlying physical infrastructure that runs your serverless application, so what’s left for you to secure? Quite a bit it turns out.
The OWASP Top 10 is as relevant to you as ever; DoS attacks are still a threat even if you can probably brute-force your way through it as AWS auto-scales Lambda functions automatically; and did you know attackers can easily steal your AWS credentials via your application dependencies?
In addition to the traditional threats, serverless applications have more granular deployment units and therefore there are more things to configure and secure, and the tools and practices are still catching up with this fast changing world.
Case VC+: How to secure a mobile payment application without penalizing the exp... (Márcio Rosa)
In this presentation we talk about the case study of the fintech VC+, cover what we did to protect ourselves and the main lessons learned, and also cover what not to do. We will also demonstrate an Account Hijacking in one of the best-known apps on the market (anonymized).
Jagadeesh Parameswaran, Microsoft
Rahul Sachan, Microsoft
Windows Defender Advanced Threat Protection (WDATP) gives defenders unparalleled visibility into the enterprise. And Azure Advanced Threat Protection (AATP) gives the power to monitor attacks on the Domain Controllers and user identities. Come spend an hour with us as we pull back the covers and go through detailed examples of real attacks that we saw as we defended the Microsoft corporate environment using WDATP & AATP.
Slides from my beginner level talk on FRIDA and its usage while Pentesting Android Applications. Covers topics like Installation of Frida and Bypassing Pinning and Root Detection using Frida.
Null Mumbai Meet_Android Reverse Engineering by Samrat Das (nullowaspmumbai)
Android Reverse Engineering by Samrat Das
Abstract
• Intro to Reverse Engineering
• Short walkthrough of Windows RE
• Introduction to Mobile Security Assessments
• Dalvik Virtual Machine vs JVM
• APK Walkthrough
• Components of Android
• Steps of Reverse Engineering Android Applications
• Hands-on demos on manual reversing of android apps
• Introduction to the AppUse VM for Android assessments
• Detecting developer backdoors
• Creating Infected Android Applications
• Anti-Reversing | Obfuscation
Frida is an instrumentation framework which is greatly helpful for dynamic analysis. This presentation was a part of my talk at @Nullblr - https://null.co.in/event_sessions/2039-getting-started-with-frida-on-android-apps
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat... (idsecconf)
This session aims to educate about the protection mechanisms applied in Android applications, such as root detection, SSL pinning, anti-emulation and tamper detection, and the techniques used to bypass these protections with the help of reverse engineering using tools such as frida, ghidra, objection, magisk, and so on.
How Android utilizes its Linux core in the heart of its security architecture
Presented at August-Penguin 2015, Israel Open-Source organization conference
http://ap.hamakor.org.il/2015
With the big delays in the time it takes until an iOS jailbreak is public and stable, it is often not possible to test mobile apps on the latest iOS version. Occasionally customers might also provide builds that only work on iOS versions for which no jailbreak is available. On Android the situation is better, but rooting certain phone models can also be a problem. These trends make security testing of mobile apps difficult. This talk will cover approaches to defeat common security mechanisms that must be bypassed in the absence of root/jailbreak.
6. Android File System
Android uses the Linux file system structure, which has a single root. Directories shown on the slide:
• etc
• sdcard
• sdcard-ext
7. Android - Permission model & sandboxing
• Android assigns a unique user ID (UID) to each Android application and runs it in its own process.
• Android uses the UID to set up a kernel-level Application Sandbox.
• On Android, each app runs as its own “user” as far as the kernel is concerned (UID), and the kernel guarantees that different “users” are unable to interfere with each other or access each other’s files.
9. Android Application Fundamentals
Android apps are written in the Java programming language. The Android SDK tools compile your code, along with any data and resource files, into an APK: an Android package, which is an archive file with an .apk suffix. One APK file contains all the contents of an Android app and is the file that Android-powered devices use to install the app.
10. Java code into APK
• Java code
• javac compiler
• .class file (bytecode)
• dx compiler
• classes.dex, or as we can say, Dalvik executable code
• Then .apk
11. Android Components
• Content Provider
• Activity
• Services
• Broadcast Receiver
• Intents
Intents bind individual components to each other at runtime (you can think of them as the messengers that request an action from other components), whether the component belongs to your app or to another.
13. Setting up the Android Emulator & other required settings
• Download the Santoku VM
• Download Appie for Windows OS
• Download Genymotion
• Deploy a custom Android 6.0 OS image into Genymotion
• Start the Android OS from Genymotion
• Both VMs should be on the same network
• Ping the Android OS IP from the Santoku OS
14. Penetration Testing Approach
Static penetration testing (code at rest, app is not running):
• Decompile the APK
• Analyse the source code
Dynamic penetration testing (app is running):
• Bypass restrictions by hooking the app
• Analyse the application using Burp Suite
• Runtime manipulation
16. Tampering and Reverse Engineering
Reverse engineering a mobile app is the process of analyzing the compiled app to extract information about its source code. The goal of reverse engineering is comprehending the code.
Tampering is the process of changing a mobile app (either the compiled app or the running process) or its environment to affect its behavior. For example, an app might refuse to run on your rooted test device, making it impossible to run some of your tests. In such cases, you'll want to alter the app's behavior.
17. APK De-compilation
There are many tools to decompile an APK. Let's try the first method:
apktool d name.apk
You will get a folder with smali code. Try to explore all these folders.
21. Reading the class files
Let's explore every file we got after APK de-compilation:
• Go to each and every folder
• Look at all the file names as well
• Try to find hard-coded information
• Search for usernames and passwords
• Search for algorithm names: md5, sha1, sha256
22. Hands on - Very Basic Bypass of Application Restrictions
• Open PostLogin.smali
• Search for the method showRootStatus
• Search for keywords like “device not rooted” and “Device rooted”
• Try to read it
23. Hands on - Bypass Application Restrictions
Add a line:
goto :cond_2
24. Hands on - Recompile and Resign the APK
apktool b foldername
java -jar sign.jar InsecureBankv2.apk
adb install filename.apk
Run the application. You will find “device not rooted”.
25. Hands on - Authorization bypass using code tampering
apktool d insecurebankv2.apk
Open InsecureBankv2/res/values/strings.xml
Modify the value of “is_admin” from “no” to “yes”
apktool b insecurebankv2
Sign the APK
Install the APK
You will see a new button: create user
26. Frida
As per the Frida website:
“It’s Greasemonkey for native apps, or, put in more technical terms, it’s a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux, iOS, Android, and QNX. Frida also provides you with some simple tools built on top of the Frida API. These can be used as-is, tweaked to your needs, or serve as examples of how to use the API.”
27. Frida
We need to install some Python packages for Frida. For this, enter the following commands in a terminal:
python -m pip install frida
python -m pip install objection
python -m pip install frida-tools
Or:
pip install frida
pip install objection
pip install frida-tools
28. Frida-server
We need to download the frida-server package for our Android device according to the device’s architecture:
https://github.com/frida/frida/releases/
To find out the architecture of the device, run the following command:
adb shell getprop ro.product.cpu.abi
To cut it short, download the following if the device configuration is the same as mentioned above:
frida-server-12.4.7-android-x86.xz
frida-server-12.4.7-android-x86_64.xz
31. Finding hard-coded credentials
d2j-dex2jar insecurebankv2.apk
jd-gui jarfile.jar
Search for “username” and “password”.
The devadmin username is found. This is also called a developer backdoor.
32. Insecure data storage
Insecure storage of data: many developers assume that storing data on the client side will restrict other users from having access to this data.
• Shared folder
• External storage like sdcard
• SQLite3 database
33. Drozer
Drozer is one of the essential tools in Android application security assessment. Drozer is already installed in Appie; if you are using it, there is no need for the installation and setup procedure.
By default the server is listening on port 31415, so in order to forward all commands of the drozer client to the drozer server we will use Android Debug Bridge (ADB) to forward the connections.
Type adb forward tcp:31415 tcp:31415 in the console.
Type drozer console connect and it will split the screen and open drozer in the other part.
34. Invoking Activities using drozer
Now you can just type list in the drozer console and it will list all the modules which come pre-installed with Drozer.
run app.package.attacksurface <<package name>>
Attacking Activities by launching them:
List the activities from a package:
run app.activity.info -a <<package_name>>
To launch any selected activity:
run app.activity.start --component <<package_name>> <<activity_name>>
37. Weak hashing algorithm
File: mySharedPreferences.xml. The username and the password were stored in encrypted format in this file (see the value of “superSecurePassword”).
Check the file CryptoClass.class in JD-GUI: AES/CBC/PKCS5PADDING
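The manual search of slides 21, 31 and 37 (hard-coded credentials, the devadmin backdoor account, md5/sha1 usage, the is_admin resource) can be automated over the decompiled tree. This is an added example, not code from the deck; the file contents it scans are a constructed sample, and the rule set is a starting point for a code review, not an exhaustive one.

```python
"""Scan decompiled app sources for hard-coded credentials, a developer backdoor
account, weak hash or cipher choices and the is_admin resource flag.

Added example, not the deck's own code. scan_files() takes a {path: text}
mapping so it runs on the constructed sample below; scan_tree() feeds it a real
apktool / dex2jar output directory.
"""
import os
import re

# (label, pattern); matched case-insensitively, at most one hit per rule per line
RULES = [
    ("hard-coded credential",
     re.compile(r'\b(?:password|passwd|pwd|secret|username|user)\w*\s*=\s*"[^"]+"', re.I)),
    ("developer backdoor account", re.compile(r'"[^"]*dev\w*admin[^"]*"', re.I)),
    ("admin flag in resources", re.compile(r'<string\s+name="is_admin">[^<]*</string>', re.I)),
    ("weak hash", re.compile(r'"(?:MD5|SHA-?1)"', re.I)),
    # a bare "AES"/"DES" transformation defaults to ECB mode on Android
    ("weak cipher mode",
     re.compile(r'Cipher\.getInstance\(\s*"(?:AES|DES|DESede)(?:/ECB/[^"]*)?"', re.I)),
]


def scan_text(path, text):
    """Return (path, line number, label, matched text) for every rule hit in one file."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in RULES:
            match = pattern.search(line)
            if match:
                hits.append((path, lineno, label, match.group(0).strip()))
    return hits


def scan_files(files):
    """files: {relative path: text}. Findings come back ordered by path, then line."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def scan_tree(root_dir, exts=(".java", ".smali", ".xml")):
    """Load a decompiled tree from disk and scan it."""
    files = {}
    for dirpath, _, names in os.walk(root_dir):
        for name in names:
            if name.endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root_dir)] = fh.read()
    return scan_files(files)


# constructed sample tree (not the real app); file names mirror the ones the deck opens
SAMPLE_TREE = {
    "res/values/strings.xml": (
        '<resources>\n'
        '    <string name="app_name">InsecureBank</string>\n'
        '    <string name="is_admin">no</string>\n'
        '</resources>\n'
    ),
    "smali/com/example/CryptoClass.smali": (
        '.method public static hash(Ljava/lang/String;)[B\n'
        '    const-string v0, "MD5"\n'
        '    invoke-static {v0}, Ljava/security/MessageDigest;->getInstance'
        '(Ljava/lang/String;)Ljava/security/MessageDigest;\n'
        '.end method\n'
    ),
    "src/com/example/DoLogin.java": (
        'public class DoLogin {\n'
        '    String devUser = "devadmin";\n'
        '    String password = "CONSTRUCTED_SAMPLE";\n'
        '    Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");\n'
        '}\n'
    ),
}

if __name__ == "__main__":
    for path, lineno, label, snippet in scan_files(SAMPLE_TREE):
        print("%s:%d  %s  %s" % (path, lineno, label, snippet))
```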
38. Exploiting a content provider using drozer
run app.package.attacksurface <<package name>>
Finding the URI:
run app.provider.finduri <<package name>>
run app.provider.query uriname
39. Hands on - Using broadcast receivers
am broadcast -a theBroadcast -n com.android.insecurebankv2/com.android.insecurebankv2.MyBroadCastReceiver --es phonenumber 971867 --es newpass heythere
<do it yourself with frida at home>
run app.broadcast.info --package <packagename>
run app.broadcast.send -- <<<do it yourself>>>
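The component list that drozer's app.package.attacksurface builds on the device (slides 34, 38 and 39) can be reproduced statically from the AndroidManifest.xml that apktool decodes, which is the view a reviewer wants when deciding which components need android:exported="false" or a permission. This is an added example, not drozer's or the deck's code; the manifest it parses is a constructed sample, and the package and component names in it are made up.

```python
"""Static attack-surface check over a decoded AndroidManifest.xml.

Added example: lists the exported activities, services, receivers and
providers that other apps can reach without holding a permission (the surface
drozer enumerates on a live device), plus the allowBackup and debuggable flags
the backup and tampering slides rely on.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None when absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem, target_sdk):
    """Apply the platform defaults when android:exported is not declared."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        # providers default to exported only when targetSdkVersion < 17
        return target_sdk < 17
    # other components default to exported when they declare an intent-filter
    return elem.find("intent-filter") is not None


def attack_surface(manifest_xml):
    """Return (kind, name, reason) tuples for everything another app can reach."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "?")
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(_attr(uses_sdk, "targetSdkVersion") or 1) if uses_sdk is not None else 1
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    # allowBackup defaults to true, which lets `adb backup` dump the app's private data
    if (_attr(app, "allowBackup") or "true").lower() == "true":
        findings.append(("application", package, "allowBackup not disabled"))
    if (_attr(app, "debuggable") or "false").lower() == "true":
        findings.append(("application", package, "debuggable build"))
    for elem in app:
        if elem.tag not in COMPONENTS or not is_exported(elem, target_sdk):
            continue
        # the MAIN/LAUNCHER activity is always exported; drozer lists it too, so it stays
        guarded = any(_attr(elem, p) for p in ("permission", "readPermission", "writePermission"))
        if not guarded:
            findings.append((elem.tag, _attr(elem, "name"), "exported without a permission"))
    return findings


# constructed sample manifest (hypothetical package and component names)
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.insecureapp">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="23"/>
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PostLogin" android:exported="true"/>
    <activity android:name=".ChangePassword"/>
    <receiver android:name=".MyBroadCastReceiver" android:exported="true">
      <intent-filter><action android:name="theBroadcast"/></intent-filter>
    </receiver>
    <provider android:name=".UserContentProvider"
        android:authorities="com.example.insecureapp.users" android:exported="true"/>
    <service android:name=".SafeService" android:exported="true"
        android:permission="com.example.insecureapp.PRIVATE"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for kind, name, reason in attack_surface(SAMPLE_MANIFEST):
        print("%-12s %-28s %s" % (kind, name, reason))
```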
40. Exploiting a misconfigured Android backup
./adb backup -apk -shared com.android.insecurebankv2
When prompted on the emulator, click on the “Back Up my Data” option. This produces an .ab file.
Convert the file into readable format:
cat backup.ab | (dd bs=24 count=0 skip=1; cat) | zlib-flate -uncompress > backupdata.tar
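The dd/zlib-flate pipeline above works because an unencrypted .ab file starts with a 24-byte header of four newline-terminated lines (magic, format version, compression flag, encryption algorithm) followed by a zlib-compressed tar stream. The added example below (not the deck's code) parses that header instead of blindly skipping 24 bytes, so it refuses encrypted or malformed files rather than feeding garbage to the inflater; the .ab it unpacks is a constructed sample built in memory.

```python
"""Unpack an unencrypted Android backup (.ab) file as produced by `adb backup`.

Added example, not the deck's own code. The header is parsed line by line:
magic, format version, compression flag, encryption algorithm; only "none"
encryption is handled here.
"""
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP\n"


def parse_ab_header(data):
    """Return (version, compressed, encryption, payload offset)."""
    if not data.startswith(MAGIC):
        raise ValueError("not an Android backup file")
    pos = len(MAGIC)
    fields = []
    for _ in range(3):  # format version, compression flag, encryption algorithm
        end = data.index(b"\n", pos)
        fields.append(data[pos:end].decode("ascii"))
        pos = end + 1
    version, compressed, encryption = fields
    return int(version), compressed == "1", encryption, pos


def unpack_ab(data):
    """Return the raw tar archive contained in an .ab file."""
    _version, compressed, encryption, offset = parse_ab_header(data)
    if encryption != "none":
        # an encrypted backup needs the user's password and a key-derivation stage first
        raise ValueError("encrypted backup (%s): decrypt it before unpacking" % encryption)
    payload = data[offset:]
    return zlib.decompress(payload) if compressed else payload


def can_unpack(data):
    """True when the file is a backup this tool can inflate without a password."""
    try:
        unpack_ab(data)
        return True
    except ValueError:
        return False


def list_backup_files(data):
    """Map each regular-file path inside the backup to its contents."""
    result = {}
    with tarfile.open(fileobj=io.BytesIO(unpack_ab(data)), mode="r:") as tar:
        for member in tar.getmembers():
            if member.isfile():
                result[member.name] = tar.extractfile(member).read()
    return result


def make_sample_ab(files, compressed=True):
    """Build a constructed .ab file from {path: bytes}, standing in for a real adb backup."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    payload = buf.getvalue()
    if compressed:
        payload = zlib.compress(payload)
    header = MAGIC + b"1\n" + (b"1\n" if compressed else b"0\n") + b"none\n"
    return header + payload


# constructed sample: a shared-preferences file like the one the deck inspects (values made up)
SAMPLE_FILES = {
    "apps/com.android.insecurebankv2/sp/mySharedPreferences.xml":
        b'<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
        b'  <string name="username">CONSTRUCTED_VALUE</string>\n'
        b'  <string name="superSecurePassword">CONSTRUCTED_VALUE</string>\n</map>\n',
}
SAMPLE_AB = make_sample_ab(SAMPLE_FILES)

if __name__ == "__main__":
    for path, content in list_backup_files(SAMPLE_AB).items():
        print(path, len(content), "bytes")
```

Setting android:allowBackup="false" in the manifest is what stops adb backup from producing this file in the first place.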
41. WebView vulnerability
WebViews are used in Android applications to load content and HTML pages within the application. Because of this functionality, the WebView implementation must be secure in order not to expose the application to great risk.
• XSS in the WebView
• Accessing local files
42. MobSF
"Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis." --- from the GitHub page
docker pull opensecurity/mobile-security-framework-mobsf
docker run -it --name mobsf -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
49. Code Obfuscation Techniques
Obfuscation helps protect your application against reverse engineering. Use the Android ProGuard tool to obfuscate, shrink, and optimize your code. ProGuard renames classes, fields, and methods with semantically obscure names and removes unused code.
Let's obfuscate an app and see how ProGuard works.
51. Insecure Network connections
▪ Protect the data while in transit
▪ The most commonly used protocols are HTTP and HTTPS
▪ HTTPS should be used
▪ Never use setAllowsAnyHTTPSCertificate:forHost:
▪ Fail safe on SSL error: implement the connection:didFailWithError: delegate
▪ Do not redirect to HTTP
52. Benefits of Mobile Application Code Reviews
• Detect injection flaws
• Detect backdoors or suspicious code
• Detect hardcoded passwords and secret keys
• Detect weak algorithm usage and hardcoded keys
• Detect the data storage definitions